feat(oauth): add oidc username claim (#357)

* feat(oauth): add oidc username claim

* style: remove undefined

backend/prisma/seed/config.seed.ts

@@ -201,6 +201,10 @@ const configVariables: ConfigVariables = {
       type: "string",
       defaultValue: "",
     },
+    "oidc-usernameClaim": {
+      type: "string",
+      defaultValue: "",
+    },
     "oidc-clientId": {
       type: "string",
       defaultValue: "",

backend/src/oauth/provider/genericOidc.provider.ts

@@ -108,6 +108,7 @@ export abstract class GenericOidcProvider implements OAuthProvider<OidcToken> {
   async getUserInfo(
     token: OAuthToken<OidcToken>,
     query: OAuthCallbackDto,
+    claim?: string
   ): Promise<OAuthSignInDto> {
     const idTokenData = this.decodeIdToken(token.idToken);
     // maybe it's not necessary to verify the id token since it's directly obtained from the provider
@@ -122,11 +123,30 @@ export abstract class GenericOidcProvider implements OAuthProvider<OidcToken> {
       throw new ErrorPageException("invalid_token");
     }
 
+    const username = claim
+      ? idTokenData[claim]
+      : idTokenData.name ||
+        idTokenData.nickname ||
+        idTokenData.preferred_username;
+
+    if (!username) {
+      this.logger.error(
+        `Can not get username from ID Token ${JSON.stringify(
+          idTokenData,
+          undefined,
+          2,
+        )}`,
+      );
+      throw new ErrorPageException("cannot_get_user_info", undefined, [
+        `provider_${this.name}`,
+      ]);
+    }
+
     return {
       provider: this.name as any,
       email: idTokenData.email,
       providerId: idTokenData.sub,
-      providerUsername: idTokenData.name,
+      providerUsername: username,
     };
   }
 
@@ -211,5 +231,7 @@ export interface OidcIdToken {
   iat: number;
   email: string;
   name: string;
+  nickname: string;
+  preferred_username: string;
   nonce: string;
 }

backend/src/oauth/provider/oidc.provider.ts

@@ -1,9 +1,12 @@
-import { GenericOidcProvider } from "./genericOidc.provider";
+import { GenericOidcProvider, OidcToken } from "./genericOidc.provider";
 import { Inject, Injectable } from "@nestjs/common";
 import { ConfigService } from "../../config/config.service";
 import { JwtService } from "@nestjs/jwt";
 import { CACHE_MANAGER } from "@nestjs/cache-manager";
 import { Cache } from "cache-manager";
+import { OAuthCallbackDto } from "../dto/oauthCallback.dto";
+import { OAuthSignInDto } from "../dto/oauthSignIn.dto";
+import { OAuthToken } from "./oauthProvider.interface";
 
 @Injectable()
 export class OidcProvider extends GenericOidcProvider {
@@ -24,4 +27,13 @@ export class OidcProvider extends GenericOidcProvider {
   protected getDiscoveryUri(): string {
     return this.config.get("oauth.oidc-discoveryUri");
   }
+
+  getUserInfo(
+    token: OAuthToken<OidcToken>,
+    query: OAuthCallbackDto,
+    _?: string,
+  ): Promise<OAuthSignInDto> {
+    const claim = this.config.get("oauth.oidc-usernameClaim") || undefined;
+    return super.getUserInfo(token, query, claim);
+  }
 }